Docker Go module CVE assessment
Date: 2026-05-19
Summary
eirctl depends on github.com/docker/docker v28.5.2+incompatible, which is currently reported as affected by CVE-2026-42306, CVE-2026-41567, and CVE-2026-41568 in versions <= 28.5.2. No patched version of the Go module is currently available.
Based on the current eirctl codebase, the vulnerable Docker daemon code paths are not invoked by eirctl. The project uses the Docker Go client to create, start, attach to, stream logs from, inspect, stop, remove, and pull containers. It does not use Docker archive copy APIs such as CopyToContainer, CopyFromContainer, ContainerArchive, or PutContainerArchive, and it does not implement a docker cp equivalent.
Our position is that the dependency should remain tracked as a remediation item, but the known exploit preconditions for these CVEs are not met by eirctl's current Docker integration.
Dependency usage
The direct Docker module imports are limited to the container runner implementation:
runner/executor_container.go
runner/container_opts_unix.go
runner/container_opts_windows.go
runner/container_auth.go
- associated tests in
runner/executor_container_test.go
The runtime Docker API surface used by eirctl is:
- image pull with registry authentication;
- container create and start;
- container attach for interactive shell mode;
- container resize for interactive terminal sessions;
- container logs streaming;
- container wait and inspect;
- container stop and remove.
The code does not call archive upload, archive download, or copy APIs.
CVE exposure assessment
| CVE |
Reported vulnerable behavior |
eirctl usage assessment |
Exploitability through eirctl |
| CVE-2026-42306 |
docker cp / archive copy race condition can redirect file operations to unintended host paths. |
eirctl does not call Docker copy/archive APIs or provide a copy-to/from-container feature. |
Not exploitable through current eirctl code paths. |
| CVE-2026-41567 |
Docker daemon archive upload processing may resolve decompression helpers from a container-controlled path, allowing host code execution when uploading compressed archives to a malicious container. |
eirctl does not upload archives into containers. It starts containers with bind mounts and streams process output only. |
Not exploitable through current eirctl code paths. |
| CVE-2026-41568 |
docker cp / archive copy race condition can write files outside the intended container boundary. |
eirctl does not invoke Docker copy/archive functionality. |
Not exploitable through current eirctl code paths. |
eirctl can run untrusted container images if a user chooses to configure them, and it can bind mount host paths into those containers when container mounting is enabled. That is a separate and expected container-runner trust boundary: a malicious image can act on any writable host paths explicitly mounted into it. This is not the vulnerable Docker archive/copy behavior described by the CVEs above.
Current risk position
The current risk is assessed as low for eirctl itself because:
- The vulnerable API class is not used.
- The project does not expose Docker daemon access as a network service.
- Container images, mounts, users, capabilities, extra hosts, and registry authentication are provided by local configuration and passed to the Docker daemon without using archive copy operations.
The residual risk is dependency and environment based:
- Security scanners will continue to report the vulnerable module until an upstream patched release is available and adopted.
- A future eirctl feature that copies files into or out of containers could introduce exposure if implemented using affected Docker archive APIs before an upstream fix is available.
- The host Docker daemon may still be vulnerable to these CVEs when other tools or users invoke
docker cp or archive upload APIs against malicious containers.
Remediation plan
- Track the upstream Docker/Moby advisory and update
github.com/docker/docker as soon as a patched version is released.
- Until a patched module is available, document this assessment in vulnerability management records as "not exploitable through current eirctl usage" rather than suppressing the finding without context.
- Do not add Docker copy/archive functionality to eirctl while the dependency remains unpatched. If such functionality becomes necessary, require a dedicated security review before implementation.
- Prefer trusted, pinned container images in eirctl configuration, especially where bind mounts are enabled.
- Keep host Docker daemon access restricted to trusted users and automation identities; eirctl users with Docker socket access effectively have elevated host capabilities independent of these CVEs.
- Re-run dependency scanning after each Docker module update and revise this report if the upstream vulnerability details or eirctl's Docker API usage changes.
Review triggers
Reassess this position if any of the following occur:
github.com/docker/docker publishes a patched version for these CVEs;
- eirctl adds file copy, archive upload, archive download, image export/import, or build-context upload functionality;
- the project starts exposing Docker API operations through a service boundary;
- new advisory details identify additional affected APIs beyond Docker archive/copy handling.
Docker Go module CVE assessment
Date: 2026-05-19
Summary
eirctl depends on
github.com/docker/docker v28.5.2+incompatible, which is currently reported as affected by CVE-2026-42306, CVE-2026-41567, and CVE-2026-41568 in versions<= 28.5.2. No patched version of the Go module is currently available.Based on the current eirctl codebase, the vulnerable Docker daemon code paths are not invoked by eirctl. The project uses the Docker Go client to create, start, attach to, stream logs from, inspect, stop, remove, and pull containers. It does not use Docker archive copy APIs such as
CopyToContainer,CopyFromContainer,ContainerArchive, orPutContainerArchive, and it does not implement adocker cpequivalent.Our position is that the dependency should remain tracked as a remediation item, but the known exploit preconditions for these CVEs are not met by eirctl's current Docker integration.
Dependency usage
The direct Docker module imports are limited to the container runner implementation:
runner/executor_container.gorunner/container_opts_unix.gorunner/container_opts_windows.gorunner/container_auth.gorunner/executor_container_test.goThe runtime Docker API surface used by eirctl is:
The code does not call archive upload, archive download, or copy APIs.
CVE exposure assessment
docker cp/ archive copy race condition can redirect file operations to unintended host paths.docker cp/ archive copy race condition can write files outside the intended container boundary.eirctl can run untrusted container images if a user chooses to configure them, and it can bind mount host paths into those containers when container mounting is enabled. That is a separate and expected container-runner trust boundary: a malicious image can act on any writable host paths explicitly mounted into it. This is not the vulnerable Docker archive/copy behavior described by the CVEs above.
Current risk position
The current risk is assessed as low for eirctl itself because:
The residual risk is dependency and environment based:
docker cpor archive upload APIs against malicious containers.Remediation plan
github.com/docker/dockeras soon as a patched version is released.Review triggers
Reassess this position if any of the following occur:
github.com/docker/dockerpublishes a patched version for these CVEs;